Brian Krebs of the Washington Post reports that, over the past week, MySpace and other websites ran a banner advertisement that infected over a million users with spyware using a Windows security flaw. The banner ad was designed to take advantage of a serious security weakness in the way Windows renders Windows Metafile (WMF) images. The flaw was originally patched by Microsoft in January.
Unpatched Internet Explorer users who visited the websites that displayed the malicious banners would become infected by a Trojan horse. The Trojan would then download and install spyware that tracks the infected machine's web usage and displays pop-up ads. Thanks to the nature of the security flaw and the way Trojan horses work, the malicious activity would go unnoticed by the user.
This event should come as further incentive to keep your computer up to date. Patched machines that viewed the banners were completely unaffected.